Tag Archives: wireshark

After upgrading windows 11, Wireshark can’t get list of interfaces: packetgetadapternames reports an error

Question

After win10 is upgraded to win11, Wireshark displays Wireshark can’t get list of interfaces: packetgetadapternames: the system cannot find the specified path
packetgetadapternames is an API of WinPcap. Wireshark captures packets based on WinPcap or npcap. When installing Wireshark, an npcap or usbpcap will be automatically installed. I guess npcap or usbpcap may disappear after upgrading the system, so uninstall Wireshark and reinstall it. Just install npcap or usbpcap

solve

Remember to check all these options when uninstalling

(transfer) using Wireshark package capture software to prompt the NPF driver isn’t running solution

Wireshark is a powerful packet capture analysis tool. When it is first used on win7/10 64 bit system, unexpected situations may occur. The NPF driver isn’t running. This may be because WinPcap driver is not installed or WinPcap option is not selected when WinPcap is installed.

resolvent:

    WinPcap is not installed. Generally, there is an installation package with WinPcap in the installation directory of Wireshark. The installation package of the green version of Wireshark is usually in the following location: wiresharkportable/APP/Wireshark/WinPcap_ x_ x_ x.exe。 Run the installation once, and then restart the system. Note that there is an auto start option to be selected during the installation process. Otherwise, you may need to manually start the NPF driver every time you use Wireshark. If the installation of WinPcap is wrong, please try to uninstall WinPcap first, and restart the system after the uninstall is completed. If there is a file locking error during the uninstall process, you do not need to pay attention to it. When you restart the computer and re install WinPcap, you may be prompted that WinPcap has been installed in your system. You don’t need to worry about it. Just continue to install it. After the installation, restart the system so that Wireshark can be used normally

    3. None of the above two situations can be solved. First, you need to confirm whether the NPF service has been installed in the system correctly. First, you need to confirm whether the npf.sys file exists in the folder C: windows?System32?Drivers. If the file does not exist, please re install WinPcap. If the file exists, then run CMD (win7/Vista user needs to press start, input CMD search, right-click the icon of cmd.exe in the search program results, and select run as administrator.

    3.1 enter the command to query whether the NPF service is installed

    C:\Windows\system32> sc qc npf
    [SC] QueryServiceConfig SUCCESS

    SERVICE_ NAME: npf
    TYPE : 1 KERNEL_ DRIVER
    START_ TYPE : 2 AUTO_ START
    ERROR_ CONTROL : 1 NORMAL
    BINARY_ PATH_ NAME : system32\drivers\npf.sys
    LOAD_ ORDER_ GROUP :
    TAG : 0
    DISPLAY_ NAME : NetGroup Packet Filter Driver
    DEPENDENCIES :
    SERVICE_ START_ Name:
    with the above results, the output is normal. If not, re install WinPcap and try again.

    3.2 start NPF service manually:

    C:\Windows\system32> SC start NPF
    if there is no error prompt, Wireshark can be used normally.

    3.3 if start in the query result of NPF service_ The value of type is not auto_ If you want to start, you don’t want to run the NPF driver manually every time. You can use the following command to change the NPF service to start automatically.

    C:\Windows\system32> sc config npf start= auto

    The source text of the post is from the website
    and http://blog.sina.com.cn/s/blog_ 718ccdb90102uzqr.html

The NPF driver isn’t running. You may have trouble capturing or listing interfaces

The processing method of “the NPF driver isn’t running. You may have trouble capturing or listing interfaces (as shown)” appears in Wireshark packet capturing tool

First of all, you have to make sure that you have installed WinPcap (it’s better to download the latest version: official download, which seems to be unable to be opened by the official, and it can also be downloaded by the Chinese Army)

a. If you are using Linux or Ubuntu, please use & gt$ The Su administrator command switches to the account with the highest authority, and then enters the command: “net start NPF” (if not, find a similar command yourself). b. If you are using Windows XP/me, please use the administrator account to log in, open CMD, and enter the command: “net start NPF”. You will be prompted to open the driver service successfully. c. If you are using Windows Vista or windows 7 that I tried out, please find the file cmd.exe under “C::?Windows?System32”, right-click and select “run as administrator”, and then enter the command “net start NPF” in the command line mode to successfully open the NPF driver. It should be that the npf.sys file I found earlier has been opened.

Finally, turn on Wireshark again, and “bingo” will work normally.

See

Wireshark can’t find a solution to capture interface

After installing Wireshark, in the “Capture “-> “Options” does not have a single capture interface.
Question why
Win10 compatibility issues caused. is required to uninstall Winpcap and reinstall Win10pcap
The solution
(a) to download and install win10Pcap, download links: http://www.win10pcap.org/download/
note: prior to install Wireshark off, otherwise an error during the installation.


n>

Program RPC 1726 error tracking

Recently, I encountered a headache in the client environment. One node successfully connected to another node via RPC, but returned 1726 error when sending THE RPC message.
The error message
First take a look at the MSDN explanation, “this remote call failed”, this sentence information content is really too little ah, there is an error I must know is the remote call failed ah.

RPC_S_CALL_FAILED
1726 (0x6BE)
The remote procedure call failed.

However, Google also rarely had a definitive explanation for the tracking of RPC 1726 errors. What did they do?The customer is urging again, help me to solve quickly!! I searched the company’s internal cases on this issue, most of them were caused by firewalls, and many of them were non-Windows built-in firewalls, such as IPS, SOME IBM suites, etc… However, it was found that the Windows firewall had been shut down on the customer’s machine, and there was no suspicious third-party firewall software. Is there a firewall between the two nodes?The client said that the firewall of the intermediate node would not block any communication with RPC… Well, always be suspicious of what customers say, and it turns out they’re wrong.

This is both a review of the code and a constant search for ways to track the problem. Customers are also anxious to urge, at this time found a Microsoft technical article described as follows:

Explanation
A server connection was lost while the server was attempting to perform a remote procedure call. It is unknown whether the remote procedure call executed, or how much of it executed. The connection might have broken because of a problem with the network hardware or because a process terminated.

   
User Action
Wait a few minutes and then try the operation again. If this message reappears, check the server or try to connect to another server. You might also have to check the integrity of the network. If the problem persists, contact the supplier of the running application.

First of all, Microsoft has said that this problem is usually caused by two possible causes: network hardware problems (which should be counted as network firewall problems) or RPC Server process termination. To be sure, our RPC Server process has not terminated, so you have to be suspicious of network reasons!

The problem tracking
This direction was clear enough, so we used unmixed mode capture on both the Client and Server sides of RPC in the Client environment. Capturing packets in unmixed mode ensures that all network packets are captured with a specified native network card. Set Wireshark’s unmixed mode as shown below, and start capturing packets:

The RPC 1726 error problem is then reproduced, stopping the Client side and the Server side from capturing packets. To begin the analysis, set the following filter in the Wirehshark filter on the Client side: 

(ip.src_host==x.x.x.98 && ip.dst_host==x.x.x.207) || ((ip.src_host==x.x.x.207 && ip.dst_host==x.x.x.98)) && dcerpc

X.x.x.x.98 is the IP address of the Client, and x.x.x.207 is the address of the Server. This filtering means that only the RPC package with interaction between the Client and the Server is shown (in our program, the default is TCP/ IP-based RPC communication). We did not receive a Response package from the Server!


Is that a problem that RPC Server handles?On the Server side, we used the same Wireshark Filter to Filter out the RPC package communicated between Client and Server, and we did not find that we received the RPC Request. The network packet was swallowed by the network firewall. Although at this time it can be basically proved that it is not the problem of our product itself, but is there more powerful evidence?
TCP connection Reset
At this time, take a look at TCP packets. First, the following filters are adopted on the Client side:

(ip.src_host==x.x.x.98 && ip.dst_host==x.x.x.207) || ((ip.src_host==x.x.x.207 && ip.dst_host==x.x.x.98))

As you can see in the figure below, after sending Request No. 3372, you received a TCP Reset packet!! That’s what firewalls do all the time. In other words, the Client and Server are disconnected.


Does the connection Reset really come from the Server to the Client?After analyzing the Server with the same Wireshark Filter, it is found that the Server did not send the TCP Reset packet and received the TCP Reset packet with IP Source as Client at the same time. It can be found from the Wireshark capture packet of the Client that the Client did not send the TCP Reset packet to the Server. Then this time is basically sure that the Client and Server in the middle of a node of the firewall, shut down this connection!!
It looks like we’re almost done, and since the root cause isn’t our product, it’s time for their webmasters to find out. But the customer always thinks their firewall is ok, he just wants our product to work properly… Since the customer is in the United States, it is Webex every time. In such a network environment, it is more suitable for the network administrator to slowly catch up and investigate.
We hope that the administrator will find them, but they do not cooperate with us, so we have to make our product run normally, so we can only find other feasible solutions. Finally, the feasible solution is to use RPC based on Namepiped for communication, which is a last resort.

Refer to the article
RPC Error:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System& ProdVer = 5.0 & amp; EvtID=1726& EvtSrc=RPC

Packet Title: logs.pcapng

Wireshark packet analysis (logs. Pcapng)

  1. USES Wireshark to view and analyze the logs.pcapng packet file under Kali desktop. Through analyzing the packet logs.pcapng, it finds the 9th file scanned by the malicious user directory and USES the file name as FLAG (form: [robots.txt])

flag: [star] PHP

  1. continues to view the packet file logs. Pcapng analyzes which ports the malicious user scans and USES all ports as flags (form: [port name 1, port name 2, port name 3… port name n]) from low to high

flag: [21,80,445,1433,3306,3389,500